MacOS Splunk Enterprise Management

Words on configuring Splunk Enterprise for MacOS and by MacOS, and what I mean by that is machines, the server and all clients with client forwarders installed are ALL running Apple MacOS.

At the end of the day all I am doing now is deploying apps to the local forwarders, not relying on the Enterprise app to handle client scripts and inputs – will end up having JAMF handle local forwarder app management moving forward.

Changing OD password by command line

Login to the server running Open Directory and run the following to be prompted to change snoopdog’s password

sudo passwd -i OpenDirectory -l /LDAPv3/ -u diradmin snoopdog

found here:


     passwd — modify a user’s password


     passwd [-i infosystem [-l location]] [-u authname] [user]


     The passwd utility changes the user’s password.  If the user is not the super-user, passwd first prompts for the current password and will not continue unless the correct password is entered.

     When entering the new password, the characters entered do not echo, in order to avoid the password being seen by a passer-by.  The passwd utility

     prompts for the new password twice in order to detect typing errors.

     The new password should be at least six characters long and not purely alphabetic.  Its total length should be less than _PASSWORD_LEN (currently 128

     characters), although some directory systems allow longer passwords.  Numbers, upper case letters, and meta characters are encouraged.

     Once the password has been verified, passwd communicates the new password to the directory system.

     -i infosystem

           This option specifies where the password update should be applied.  Under Mac OS X 10.5 and later, supported directory systems are:

           PAM   (default) Pluggable Authentication Modules.


                 A system conforming to Open Directory APIs and supporting updates (including LDAP, etc).  If no -l option is specified, the search node is used.

           file  The local flat-files (included for legacy configurations).

           nis   A remote NIS server containing the user’s password.

     -l location

           This option causes the password to be updated in the given location of the chosen directory system.

           for file,

                 location may be a file name (/etc/master.passwd is the default)

           for nis,

                 location may be a NIS domainname

           for opendirectory,

                 location may be a directory node name

           for PAM,

                 location is not used

     -u authname

           This option specifies the user name to use when authenticating to the directory node.

     user  This optional argument specifies the user account whose password will be changed.  This account’s current password may be required, even when

           run as the super-user, depending on the directory system.


     /etc/master.passwd  The user database

     /etc/passwd         A Version 7 format password file

     /etc/passwd.XXXXXX  Temporary copy of the password file


     chpass(1), login(1), dscl(1), passwd(5), pwd_mkdb(8), vipw(8)

     Robert Morris and Ken Thompson, UNIX password security.


     A passwd command appeared in Version 6 AT&T UNIX.

Mac OS X                        August 18, 2008                       Mac OS X

DSCL and scripting mentioned here:



Open Directory audit log data into Splunk

illustrated Splunk server configuration steps

I put Splunk server scripts for dispersing here

Splunk >> bin >> scripts

sudo nano /Applications/Splunk/bin/scripts/


Script input:

sudo log stream –level info –style syslog


# trying json

sudo log stream –level info –style syslog







Forwarder Management:

Settings >> Forwarder management

Screen Shot 2019-09-21 at 7.59.06 AM.png

Settings >> Forwarder management >> Clients

B2019-09-21 at 8.05.33 AM.pngSettings >> Forwarder management >> Server Classes

Screen Shot 2019-09-21 at 8.00.03 AM.png


New Server Class

Screen Shot 2019-09-21 at 8.00.29 AM.png



Data >> Data Inputs

Screen Shot 2019-09-21 at 8.01.03 AM.png


Data >> Data Inputs >> Forwarded Inputs >> Scripts

Screen Shot 2019-09-21 at 8.10.52 AM.png

Change the sourcetype to jsonc2019-09-21 at 8.13.14 AM.png


Once everything is in place you should be able to search and find information in this example I created am account “teddyboy” in OPen Directory, the following shows a query from the script which stream the slapd, and opendirectoryd data

D09-21 at 8.41.17 AM.png


Change/check the local inputs.conf files from the scripts running on the Open Directory server.

sudo nano /Applications/SplunkForwarder/etc/apps/_server_app_OD_Servers/local/inputs.conf



  GNU nano 2.0.6 File: …ps/_server_app_OD_Servers/local/inputs.conf           


disabled = 0

index = default

interval = 60.0

sourcetype = linux_messages_syslog


Trying this

sourcetype = oracle:audit:xml

or this

sourcetype = _json

Change/check the local inputs.conf files from the forwarder running on the Open Directory server.

sudo nano /Applications/SplunkForwarder/etc/system/local/inputs.conf





host = ClientMachineHostName.local

Change/check the local output.conf files from the forwarder running on the Open Directory server.


defaultGroup = default-autolb-group


server =




To search and find OD account creation success, I query from the json sourcetype

ODNodeCreateRecord request


This records barbie account record getting created: dsAttrTypeStandard:RecordName\= (\n barbie\n

{ “category:session“, “processImageUUID:DB3-0037-332C-8D8E-8C7350E88A01“, “processUniqueID: 85, “threadID: 1383910, “timestamp:2019-09-22 06:24:07.668536-0400“, “traceID: 2065501346005252, “messageType:Info“, “activityID: 854237, “processID: 85, “machTimestamp: 394733628137612, “timezoneName: “”, ““, “senderProgramCounter: 65579, “eventMessage:ODNodeCreateRecord request, NodeID: 0A1D-30AA-4FA7-B1C1-12E9F78DFF20, RecordType: dsRecTypeStandard:Users, RecordName: <private>, Attributes: {\n \dsAttrTypeStandard:Comment\= (\n );\n \dsAttrTypeStandard:EMailAddress\= (\n );\n \dsAttrTypeStandard:FirstName\= (\n );\n \dsAttrTypeStandard:HomeDirectory\= (\n );\n \dsAttrTypeStandard:HomeDirectoryQuota\= (\n 0\n );\n \dsAttrTypeStandard:Keywords\= (\n );\n \dsAttrTypeStandard:LastName\= (\n barbie\n );\n \dsAttrTypeStandard:NFSHomeDirectory\= (\n \\/Users\/barbie\\n );\n \dsAttrTypeStandard:PrimaryGroupID\= (\n 20\n );\n \dsAttrTypeStandard:RealName\= (\n barbie\n );\n \dsAttrTypeStandard:RecordName\= (\n barbie\n );\n \dsAttrTypeStandard:UniqueID\= (\n 1006\n );\n \dsAttrTypeStandard:UserShell\= (\n \\/bin\/bash\\n );\n}”, “senderImageUUID:D350A9B3-0037-332C-8D8E-8C7350E88A01“, “processImagePath:\/usr\/libexec\/opendirectoryd“, “senderImagePath:\/usr\/libexec\/opendirectoryd” }


Delete a record, “eventMessage:Delete a record“, “processImagePath:\/Applications\/\/Contents\/MacOS\/Server“,

{ “processImageUUID:388D1B12-E930-3D81-AB34-6EFAA44E12EF“, “processUniqueID: 28164, “threadID: 1386945, “timestamp:2019-09-22 06:32:34.581205-0400“, “traceID: 1181143700349387010, “eventType:OSActivityCreateEvent“, “activityID: 857809, “processID: 28164, “machTimestamp: 395240545174841, “timezoneName: “”, “senderProgramCounter: 56111, “eventMessage:Delete a record“, “senderImageUUID:29F55F7B-379F-3053-8FF3-5C6675A3DD4D“, “processImagePath:\/Applications\/\/Contents\/MacOS\/Server“, “senderImagePath:\/System\/Library\/Frameworks\/OpenDirectory.framework\/Versions\/A\/Frameworks\/CFOpenDirectory.framework\/Versions\/A\/CFOpenDirectory” }



Screen Shot 2019-09-22 at 6.28.36 AM